authorJannik Schönartz2019-02-26 08:23:12 +0100
committerJannik Schönartz2019-02-26 08:23:12 +0100
commite08e3feec4b329bd249f595ba807c9fbae3c282d (patch)
treee01d69b3304bea1c21674436a27901c040b9bf03 /server/api/users.js
parent[authentication] Rewrite code in async/await, fix edit account module (diff)
[permissionmanager] Fix security bug: Code was executed whether the user had the permission or not
Diffstat (limited to 'server/api/users.js')
-rw-r--r--server/api/users.js5
1 files changed, 2 insertions, 3 deletions
diff --git a/server/api/users.js b/server/api/users.js
index a754155..a297033 100644
--- a/server/api/users.js
+++ b/server/api/users.js
@@ -44,9 +44,8 @@ router.getAsync('/:id', async (req, res) => {
// Post request for adding roles to users.
router.postAsync('/:id/roles', async (req, res) => {
- if (!await req.user.hasPermission('permissions.grantrevoke')) {
- res.status(403).end()
- }
+ if (!await req.user.hasPermission('permissions.grantrevoke')) return res.status(403).end()
+
const id = req.params.id === 'current' ? req.user.id : req.params.id
const user = await db.user.findOne({ where: { id } })
if (user) {
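Review bot: The `permissions.grantrevoke` guard at the top of the `POST /:id/roles` handler is still an inline check that only works because of the `return`, which is the same shape that allowed the original fall-through, so nothing here stops the next handler from repeating the mistake. Consider enforcing the permission before the handler body runs, for example with a route-level middleware (name illustrative, and assuming the async router accepts middleware) `router.postAsync('/:id/roles', requirePermission('permissions.grantrevoke'), async (req, res) => {`, or with a helper that throws so execution cannot continue. The other handlers in this file, such as the `GET /:id` route named in the hunk header, are not visible here and should be checked for a `res.status(403).end()` without `return`. A regression test asserting that a caller without the permission receives 403 and that the target user's roles are unchanged would pin the fix. The handler body continues outside the hunk.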